如何在jsp页面上使用owasp-java-html-sanitizer的策略

Question

I have been given a task to prevent our website from Cross-site Scripting (XSS). The concept is new to me and I googled a lot and got owasp-java-html-sanitizer. I created my own policy with

public static final PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder()

by using .allowAttributes , I designed it . But now I am clueless how to use it ...I found following code snippet:

System.err.println("[Reading from STDIN]");
    // Fetch the HTML to sanitize.
    String html = CharStreams.toString(new InputStreamReader(System.in,
            Charsets.UTF_8));
    // Set up an output channel to receive the sanitized HTML.
    HtmlStreamRenderer renderer = HtmlStreamRenderer.create(System.out,
    // Receives notifications on a failure to write to the output.
            new Handler<IOException>() {
                public void handle(IOException ex) {
                    Throwables.propagate(ex); // System.out suppresses
                                                // IOExceptions
                }
            },
            // Our HTML parser is very lenient, but this receives
            // notifications on
            // truly bizarre inputs.
            new Handler<String>() {
                public void handle(String x) {
                    throw new AssertionError(x);
                }
            });
    // Use the policy defined above to sanitize the HTML.
    HtmlSanitizer.sanitize(html, POLICY_DEFINITION.apply(renderer));
}

but how can I apply this to my JSP because I think this is for simple HTML. Please help.

Answer 1

You could attach the renderer to a StringWriter instead of System.out , but it's probably easier to just use the policy's sanitize convenience method :

 public java.lang.String sanitize(@Nullable java.lang.String html) 

A convenience function that sanitizes a string of HTML.

which returns a string of HTML that is safe to interpolate into your JSP page.